Use this forum to post questions relating to WinGate, feature requests, technical or configuration problems
May 21 04 3:34 pm
I have a LAN (192.168.1.*) with WinGate at IP 192.168.1.1, and I set the WWW proxy server to use Java client authentication.
Now I use a Java program written by me to access an outer website and an inner website at the same time.
When I haven't logged in to WinGate, the inner website is OK.
When I have logged in to WinGate as a user with full access rights, both are OK.
When I have logged in to WinGate as a user without full access rights, the outer website is OK BUT the inner website cannot be accessed. I checked the WinGate logs and found that the user's authorization failed. How can I configure WinGate to let a common user have the right to access inner resources?
I have configured IE not to use the proxy for the inner LAN but it does not seem to work; the data is still being sent to WinGate, so please help, thanks.
May 22 04 3:17 pm
I think this is a simple question, but ... , please help!
May 23 04 5:49 am
Even giving the user administrator rights?
May 25 04 1:18 am
You can always add a recipient to the policies to grant your internal users access to a specific resource.
How does your Java applet make this connection, or is it the web browser that does this? That will make a difference as to which service you need to edit the rights for.
Adrien
May 26 04 3:44 pm
This is my program snippet, pls help! (It's not in a Java applet, it is a GUI program.)
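import java.io.InputStream;
import java.net.URL;
import java.net.URLConnection;

// Open a connection to the target URL (urlString is set elsewhere in the program)
URL url = new URL(urlString);
URLConnection urlconnection = url.openConnection();
// Disable client-side caching and make this a read-only request
urlconnection.setDefaultUseCaches(false);
urlconnection.setAllowUserInteraction(true);
urlconnection.setDoInput(true);
urlconnection.setDoOutput(false);
urlconnection.setUseCaches(false);
// Ask intermediaries not to serve a cached copy
urlconnection.setRequestProperty("Pragma", "no-cache");
urlconnection.setRequestProperty("Cache-Control", "no-cache");
urlconnection.setRequestProperty("Expires", "-1");
urlconnection.setRequestProperty("Content-type", "text/html");
// The request is actually sent here
InputStream inputstream = urlconnection.getInputStream();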
I think WinGate should know the connection comes from the LAN protected by it (it does know, in fact), and should let it through to resources on the LAN without re-authenticating it, because both the source and the destination are in the same LAN protected by WinGate!!! But now WinGate does authenticate and refuses the connection request. So can you tell me if there is a simple way to disable the re-authentication for the protected LAN?
Thanks!
May 26 04 5:17 pm
You have several options.
Option 1.
WinGate will only require authentication up to the level required by the policy for the service or the default policies.
If for instance you set the policy setting to "user may be assumed" then normal users will need to authenticate to raise their security level. Then you could add an assumption for the IP address of the client machine running the Java applet. It will then be deemed assumed, and will not be required to authenticate.
Option 2.
You could add another recipient to the access rights for the WWW proxy such that your Java client (either by IP or by what it is requesting) is allowed without having to authenticate.
Adrien
May 27 04 1:47 pm
Adrien:
Both options are not so good; they will cause security problems or inconvenience.
Option 1: an assumption for the IP address of the client machine will give the IP address more rights, and when the program is moved to another IP, the setting must be changed. And what can be done if the source has a dynamic IP? (Assumption for the IP address is not a good method in most situations; we always use user authentication.)
Option 2: I must add another user, and must switch to this user when using the program; it's very inconvenient.
So, I set up a group and added a filter as: Advanced--Specify which request this recipient has--Internal LAN--Server IP start with 192.168.1, and granted Internal access to the group.
BUT this is still not so good. It should be WinGate's responsibility to judge whether the request comes from the protected LAN and whether the destination is in the same LAN, and to let the request be forwarded without any authentication (or have an option to do this). I think this is the only right way. I hope this suggestion will be added to a future version.
Anyway, thanks!
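Added example, not part of the thread and not WinGate's own code: assuming the Java program reaches WinGate as an explicit HTTP proxy (the thread does not say how the traffic gets there), a client-side ProxySelector can send requests for 192.168.1.* destinations directly and everything else through the proxy, leaving WinGate's user authentication policy unchanged. The class name and proxy port 80 are placeholders.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.net.ProxySelector;
import java.net.SocketAddress;
import java.net.URI;
import java.net.UnknownHostException;
import java.util.List;

public class LanBypassProxySelector extends ProxySelector {
    // Assumed: proxy at 192.168.1.1 and LAN 192.168.1.* as in the thread; port 80 is a placeholder.
    private static final Proxy WINGATE =
            new Proxy(Proxy.Type.HTTP, new InetSocketAddress("192.168.1.1", 80));
    private static final int LAN_NET = 0xC0A80100;   // 192.168.1.0
    private static final int LAN_MASK = 0xFFFFFF00;  // /24

    static boolean isLan(InetAddress addr) {
        byte[] b = addr.getAddress();
        if (b.length != 4) return false;  // only the IPv4 LAN from the thread is handled
        int ip = ((b[0] & 0xFF) << 24) | ((b[1] & 0xFF) << 16) | ((b[2] & 0xFF) << 8) | (b[3] & 0xFF);
        return (ip & LAN_MASK) == LAN_NET;
    }

    @Override
    public List<Proxy> select(URI uri) {
        String host = uri.getHost();
        if (host == null) return List.of(WINGATE);
        try {
            // Decide on the resolved addresses, not on the text of the name, and
            // require every address to be inside the LAN before going direct.
            for (InetAddress a : InetAddress.getAllByName(host)) {
                if (!isLan(a)) return List.of(WINGATE);
            }
            return List.of(Proxy.NO_PROXY);
        } catch (UnknownHostException e) {
            return List.of(WINGATE);  // unresolved: let the proxy and its policy decide
        }
    }

    @Override
    public void connectFailed(URI uri, SocketAddress sa, IOException e) {
        // No fallback route: the I/O error reaches the caller unchanged.
    }

    public static void main(String[] args) {
        ProxySelector.setDefault(new LanBypassProxySelector());
        ProxySelector sel = ProxySelector.getDefault();
        System.out.println(sel.select(URI.create("http://192.168.1.20/")));  // constructed LAN host
        System.out.println(sel.select(URI.create("http://203.0.113.10/")));  // constructed outside host
    }
}
```

Installing the selector once with ProxySelector.setDefault() before the first url.openConnection() call is enough; the posted URLConnection code needs no other change.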